1 The opinion in support of the decision being entered today is not binding 

2 precedent of the Board 
3 

4 UNITED STATES PATENT AND TRADEMARK OFFICE 

5 

6 

7 BEFORE THE BOARD OF PATENT APPEALS 

8 AND INTERFERENCES 

9 

10 

1 1 Ex parte RICHARD PAUL TARQUINI, RICHARD LOUIS SCHERTZ, 

12 and CRAIG ANDERSON 

13 

14 

15 Appeal 2007-0477 

16 Application 10/003,510 

1 7 Technology Center 2 1 00 

18 

19 



20 Decided: July 17,2007 

21 



22 

23 Before JAMES D. THOMAS, ALLEN R. MACDONALD, and JAY P. 

24 LUCAS, Administrative Patent Judges. 
25 

26 MACDONALD, Administrative Patent Judge. 

27 

28 

29 

30 

31 

32 DECISION ON APPEAL 

33 

34 

35 

36 

37 

38 AFFIRMED 



Appeal 2007-0477 
Application 10/003,510 



1 STATEMENT OF CASE 

2 Appellants appeal under 35 U.S.C. § 134 from a Final Rejection of 

3 claims 1 to 16. We have jurisdiction under 35 U.S.C. § 6(b). 

4 Appellants invented a method and computer readable medium for 

5 integrating a decode engine with an intrusion detection system. 

6 (Specification 1). 

7 Independent claims 1 and 10 under appeal reads as follows: 

8 LA method of detecting network-intrusions at a first node of a 

9 network, comprising: 
10 

1 1 identifying a frame as an intrusion by an intrusion detection 

12 application; 
13 

14 archiving event-data associated with the frame; and 

15 

16 decoding the event-data by a decode engine, the decode engine 

1 7 integrated within the intrusion detection application. 
18 

19 1 0. A computer-readable medium having stored thereon a set of 

20 instructions to be executed, the set of instructions, when executed by a 

2 1 processor, cause the processor to perform a computer method of: 
22 

23 identifying, by an intrusion detection application, a frame of 

24 data as intrusion- related; and 
25 

26 decoding, by the intrusion detection application, the intrusion- 

27 related data. 
28 
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1 The prior art relied upon by the Examiner in rejecting the claims on 

2 appeal is: 

3 Trcka US 6,453,345 B2 Sep. 17,2002 

4 (filed May 7, 1997) 

5 Porras US 6,704,874 Bl Mar, 9, 2004 

6 (filed Jul. 25, 2000) 
7 

8 The Examiner rejected claim 10 under 35 U.S.C. § 102(e) as being 

9 anticipated by Porras. 

10 The Examiner rejected claims 1-9 and 1 1-16 under 35 U.S.C. § 103(a) 

11 as being unpatentable over Porras and Trcka. 

12 Appellants contend that the claimed subject matter is not anticipated 

13 and would not have been obvious. More specifically, Appellants contend: 

14 1) As to claims 1-9, that the Examiner relies on the monitoring 

15 system 22 of Porras as corresponding to the "intrusion detection 

16 application," but the Examiner offers no support or showing that 

17 Porras' s translation module 32 (decode engine) is "integrated within" 

18 system 22 as required by claim 1. (Br. 6). 

19 2) As to claim 10, that the Examiner again relies on the 

20 monitoring system 22 of Porras as corresponding to the "intrusion 

21 detection application," but offers no support or showing that Porras's 

22 system 22 "decod[es] ... the intrusion-related data" as required by 

23 claim 10. Further, module 32 performs this function and module 32 is 

24 not part of system 22 of Porras. (Br. 8). 

25 3) As to claims 11-16 which depend from claim 10, Trcka does 

26 not remedy the defects of Porras. (Br. 8). 
27 
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1 The Examiner contends monitoring system 22 and translation 

2 module 32 are integrated in network based alert management system 10 of 

3 Porras. (Answer 8:20-9:9). 

4 We affirm. 

5 ISSUE 

6 Have Appellants shown that the Examiner has failed to establish that 

7 Porras describes "an intrusion detection application" having both 

8 "identifying" and "decoding" as required by claims 1 and 10? 
9 

10 FINDINGS OF FACT 

1 1 Appellants invented a method and computer readable medium for 

12 integrating a decode engine with an intrusion detection system. 

13 (Specification 1, 11. 7-9). 

14 Porras describes a network-based alert management system 10 (i.e., an 

15 intrusion detection application) meeting all the limitations of claim 10 and 

16 all the limitations of claim 1 except "archiving" (col. 3, 1. 16 to col. 4, 1. 25). 

17 Porras describes that system 10 includes fault monitoring systems 22 

18 for identifying intrusions (col. 3, 11. 30-37, and col. 3, 1. 54 to col. 4, 1. 1). 

19 Porras describes that system 10 includes translation module 32 (i.e., 

20 decoding engine) (col. 3, 11. 30-37, and col. 3, 1. 54 to col. 4, 1. 1). 

2 1 Trcka describes using archival data in a network security system 

22 (col. 11,11.27-48). 
23 
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1 PRINCIPLES OF LAW 

2 On appeal, Appellants bear the burden of showing that the Examiner 

3 has not established a legally sufficient basis for anticipation based on the 

4 Porras patent. 

5 Appellants may sustain this burden by showing that the prior art 



6 reference relied upon by the Examiner fails to disclose an element of the 

7 claim. It is axiomatic that anticipation of a claim under § 102 can be found 

8 only if the prior art reference discloses every element of the claim. See In re 

9 King, 801 F.2d 1324, 1326, 231 USPQ 136, 138 (Fed. Cir. 1986) and 

1 0 Lindemann Maschinenfabrik GMBH v. American Hoist & Derrick Co, , 730 

11 F.2d 1452, 1458, 221 USPQ 481, 485 (Fed. Cir. 1984). 



12 On appeal, Appellants bear the burden of showing that the Examiner 

13 has not established a legally sufficient basis for combining the teachings of 

1 4 Porras with those of Trcka. 

15 "Section 103 forbids issuance of a patent when 'the differences 



1 6 between the subject matter sought to be patented and the prior art: are such 

17 that the subject matter as a whole would have been obvious at the time the 

1 8 invention was made to a person having ordinary skill in the art to which said 

19 subject matter pertains.'" KSR Int'l Co. v. Teleflex Inc., 127 S. Ct. 1727, 

20 1734, 82 USPQ2d 1385, 1391 (2007). The question of obviousness is 

21 resolved on the basis of underlying factual determinations including (1) the 

22 scope and content of the prior art, (2) any differences between the claimed 

23 subject matter and the prior art, (3) the level of skill in the art, and (4) where 

24 in evidence, so-called secondary considerations. Graham v. John Deere Co., 

25 383 U.S. 1, 17-18, 148 USPQ 459, 467 (1966). See also KSR, 127 S. Ct. at 
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1 1734, 82 USPQ2d at 1391 ("While the sequence of these questions might be 

2 reordered in any particular case, the [Graham] factors continue to define the 

3 inquiry that controls.") 

4 In KSR, the Supreme Court emphasized "the need for caution in 

5 granting a patent based on the combination of elements found in the prior 

6 art," id at 1739, 82 USPQ2d at 1395, and discussed circumstances in which 

7 a patent might be determined to be obvious without an explicit application of 

8 the teaching, suggestion, motivation test. 

9 In particular, the Supreme Court emphasized that "the principles laid 

10 down in Graham reaffirmed the 'functional approach' of HotchkisSy 1 1 

1 1 How. 248." KSR at 1 1 (citing Graham v. John Deere Co,, 383 U.S. 1, 12 

12 (1966) (emphasis added)), and reaffirmed principles based on its precedent 

13 that "[t]he combination of familiar elements according to known methods is 

14 likely to be obvious when it does no more than yield predictable results." Id, 

1 5 The Court explained: 



16 When a work is available in one field of endeavor, 

17 design incentives and other market forces can 

1 8 prompt variations of it, either in the same field or a 

19 different one. If a person of ordinary skill can 

20 implement a predictable variation, §103 likely bars 

21 its patentability. For the same reason, if a 

22 technique has been used to improve one device, 

23 and a person of ordinary skill in the art would 

24 recognize that it would improve similar devices in 

25 the same way, using the technique is obvious 

26 unless its actual application is beyond his or her 

27 skill. 
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1 Id. at 1740, 82 USPQ2d at 1396. The operative question in this "functional 

2 approach" is thus "whether the improvement is more than the predictable use 

3 of prior art elements according to their established functions." Id. 

4 Under this framework, once an Examiner demonstrates that the 

5 elements are known in the prior art and that one of ordinary skill could 

6 combine the elements as claimed by known methods and would recognize 

7 that the capabilities or functions of the combination are predictable, then the 

8 Examiner has made a prima facie case that the claimed subject matter is 

9 likely to be obvious. The burden then shifts to the Appellant to show that 

1 0 the Examiner erred in these findings or to provide other evidence to show 

1 1 that the claimed subject matter would have been nonobvious. 
12 



13 ANALYSIS 

14 As to claim 10, the Examiner correctly shows where all the claimed 

1 5 features appear in the Porras prior art reference. (See Findings of Fact 

16 above.). 

17 As to claim 1 , the Examiner correctly shows where all the claimed 

1 8 features except "archiving" appear in the Porras prior art reference. 

19 As we have already found, Porras explicitly describes that system 10 

20 includes systems 22 and module 32. Thus, contrary to Appellants' 

2 1 contentions, Porras teaches a decode engine integrated within an intrusion 

22 detection application. Appellants have not established that the Examiner 

23 erred with respect to this contention. 
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1 Appellants arguments appear to be based on an erroneous reading of 

2 the Examiner's rejections (e.g., Answer 4:1 1-20). The Examiner's rejection 

3 of claim 1 reads in part: 

4 Regarding Claim 1 Porras teaches a method of detecting 

5 network-intrusions [detecting suspicious activities, such as intrusion, 

6 and based on that generating digital alerts] (Fig. 1 Item 22, and col. 1 

7 line 26 to line 28) at a first node of a network [Fig. 1, item 12], 

8 comprising: 

9 identifying [sensors 22 monitoring various host/network traffic 

10 for suspicious activities] frame [streams] as an intrusion by an 

1 1 intrusion detection application (col. 3 line 30 to line 37, and col. 3 

12 line 54 to col. 4 line 1); 

13 archiving event-data [raw, unprocessed alerts] associated with 

14 the frame [steams]; and 

15 decoding [translation module 32] the event-data by a decode 

16 engine [aggregation, that is combining alerts produced by a single 

17 monitoring sensor] (col. 6 line 2 to line 5), the decode engine 

18 integrated within the intrusion detection application (col. 4 line 1 to 

19 line 25). 
20 

21 Appellants interpret the Examiner's citation at the end of tlie 



22 "identifying" step as referring to only the immediately preceding "intrusion 

23 detection application," rather than the entire preceding "identifying" step. 

24 Appellants are in error as is shown by the Examiner's citation at the end of 

25 the "decoding" step above. The Examiner's discussions of both steps above 

26 are similarly structured in that they conclude with a citation preceded by 

27 "intrusion detection application." Appellants' interpretation of the first 

28 citation (identifying step) as referring solely to the "intrusion detection 

29 application" fails to acknowledge and give a reasonable meaning to the 

30 second citation (decoding step). 
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1 CONCLUSIONS OF LAW 

2 (1) Appellants have failed to establish that the Examiner erred in 

3 rejecting claim 10 as being unpatentable under 35 U.S.C. § 102(e) over 

4 Porras, 

5 (2) Appellants have failed to establish that the Examiner erred in 

6 rejecting claims 1-9 and 1 1-16 as being unpatentable under 35 U.S.C. 

7 § 103(a) over Porras and Trcka. 

8 (3) Claims 1-16 are not patentable. 
9 

10 DECISION 

1 1 The Examiner's rejection of claims 1-16 is Affirmed. 
12 

13 AFFIRMED 
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